SSH RADIUS authentication as a client for Linux

Because I already had a RADIUS server running, with a group and a shared secret in place, it made sense to have some Linux machines authenticate their SSH users against the same server. It turned out not to be as easy as I expected: I tried several options, like this and this, but they failed.

Digging online I found a solution plus a workaround, and I think it is worth sharing here. A very old, unsupported application documented a way to authenticate against a RADIUS server (FreeRADIUS, for example).

It is possible to authenticate Linux logins against a RADIUS server using the RADIUS authentication protocol.
Install the PAM-to-RADIUS authentication module, which is packaged in any Debian/Ubuntu-based distribution. It lets any Linux, OS X or Solaris machine act as a RADIUS client for authentication and password-change requests; you have to supply your own RADIUS server to perform the actual authentication.

apt-get install libpam-radius-auth

I would love to see the second module packaged as well, but unfortunately it has to be cloned and compiled. libnss_ato is a set of C library (NSS) extensions that map every NSS request for an unknown user onto a single predefined local user. In practice it maps all your RADIUS-authenticated users onto one locally provisioned account, so you do not need a local account per RADIUS user.

To do that you need to clone the GitHub repository. Make sure git is installed, or install it with:

apt-get install git

Then build and install the module:

~# git clone https://github.com/donapieppo/libnss-ato
Cloning into 'libnss-ato'...
remote: Enumerating objects: 164, done.
remote: Total 164 (delta 0), reused 0 (delta 0), pack-reused 164
Receiving objects: 100% (164/164), 31.91 KiB | 1.28 MiB/s, done.
Resolving deltas: 100% (78/78), done.
~# cd libnss-ato/
~# make
gcc   -fPIC -Wall -shared -o libnss_ato.so.2 -Wl,-soname,libnss_ato.so.2 libnss_ato.c
make gcc     libnss_ato_test.c   -o libnss_ato_test
~# make install
# remeber  /lib/libnss_compat.so.2 -> libnss_compat-2.3.6.so
/usr/bin/install -m 644 libnss_ato.so.2 ""/lib/libnss_ato-2.3.6.so
/usr/bin/install -m 644 libnss-ato.3 ""/usr/share/man/man3
cd ""/lib && ln -fs libnss_ato-2.3.6.so libnss_ato.so.2
~#

Add your RADIUS server(s) and the shared secret to the module's configuration file:

nano /etc/pam_radius_auth.conf

The packaged file ships with example server entries: remove them all, then add your own RADIUS servers at the end, one per line. If you have only one, add only one. Each line is the server address (optionally with :port), the shared secret and the timeout in seconds. The secret is stored in clear text, so keep the file readable by root only (mode 0600).

192.168.1.100                secret_key_for_the_first 5
192.168.2.100                secret_key_for_the_second 5

Create the configuration file for libnss-ato:

nano /etc/libnss-ato.conf

and paste this single passwd-style line. It is the local identity every unknown (that is, RADIUS) user is mapped onto: the uid and gid are what every mapped session runs as and the home directory must exist. Here it is the Raspberry Pi's default pi user (uid 1000), so all RADIUS users share one uid and one home directory:

radius_user:x:1000:1000:,,,:/home/pi:/bin/bash

The PAM configuration files for the sshd and login services are /etc/pam.d/sshd and /etc/pam.d/login respectively.
Add this line at the top of both files:

auth sufficient pam_radius_auth.so

Because the entry is "sufficient", a RADIUS accept ends the auth stack immediately, while a reject or a timeout falls through to the rest of the stack (the normal local password check), so local accounts and root keep working when the RADIUS server is unreachable. Keep an existing root session open while you edit PAM files, so that a typo cannot lock you out.

The NSS configuration file is /etc/nsswitch.conf. Append ato to the passwd and shadow entries, so that the top three entries look as follows (on newer Debian releases the existing sources may be "files" or "files systemd" instead of "compat"; keep whatever is there and add ato after it). ato must be the last source on each line, because libnss_ato answers for any name it is asked about, so a source listed after it would never be consulted:

passwd:   compat ato
group:    compat
shadow:   compat ato
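The configuration steps above (RADIUS server list, libnss-ato mapping line, PAM entries and nsswitch change) collected into one idempotent shell script, as an added example that is not code from the original post nor from pam_radius_auth or libnss-ato. It reuses the post's placeholder addresses, secrets and mapped user; every function takes its target file as an argument so it can be exercised on copies, and the live /etc files are only touched when the script is invoked with --apply (a convention of this example):

```shell
#!/bin/sh
# Idempotent helpers for the pam_radius_auth + libnss-ato setup above.
# Added example, not code from the original post or from either project.
# Every function takes the target file as an argument, so it can be run
# against copies before touching /etc. Server addresses, secrets and the
# mapped user below are the post's placeholders: substitute your own.
set -eu

# Rewrite the pam_radius_auth config from (server secret timeout) triples.
# The shared secret is stored in clear text, so the file is kept root-only.
write_radius_conf() {
    conf=$1; shift
    ( umask 077; : > "$conf" )   # create (or truncate) with mode 0600
    chmod 0600 "$conf"           # also fix the mode of a pre-existing file
    while [ $# -ge 3 ]; do
        printf '%s\t%s\t%s\n' "$1" "$2" "$3" >> "$conf"
        shift 3
    done
}

# Validate the single passwd-style line libnss-ato maps unknown names onto:
# seven colon-separated fields, numeric uid/gid, absolute home and shell.
ato_line_ok() {
    line=$1
    [ "$(printf '%s\n' "$line" | awk -F: '{ print NF }')" -eq 7 ] || return 1
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    case $home in /*) ;; *) return 1 ;; esac
    case $shell in /*) ;; *) return 1 ;; esac
    return 0
}

# Write /etc/libnss-ato.conf, refusing a line that would not parse.
write_ato_conf() {
    conf=$1; line=$2
    ato_line_ok "$line" || { echo "refusing to write malformed ato line" >&2; return 1; }
    printf '%s\n' "$line" > "$conf"
}

# Put the RADIUS auth entry at the top of a PAM service file, once.
ensure_pam_radius() {
    f=$1
    if grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_radius_auth\.so' "$f"; then
        return 0
    fi
    tmp="$f.tmp.$$"
    { printf 'auth sufficient pam_radius_auth.so\n'; cat "$f"; } > "$tmp"
    mv "$tmp" "$f"
}

# Append "ato" to the passwd and shadow lines of nsswitch.conf, once.
# It must be the last source on each line: libnss_ato answers for any name
# it is asked about, so a source listed after it would never be consulted.
ensure_nss_ato() {
    f=$1
    tmp="$f.tmp.$$"
    awk '
        /^(passwd|shadow):/ {
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "ato") has = 1
            if (!has) $0 = $0 " ato"
        }
        { print }
    ' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# Apply everything to the live system; only runs when invoked as "--apply".
if [ "${1:-}" = "--apply" ]; then
    write_radius_conf /etc/pam_radius_auth.conf \
        192.168.1.100 secret_key_for_the_first 5 \
        192.168.2.100 secret_key_for_the_second 5
    write_ato_conf /etc/libnss-ato.conf 'radius_user:x:1000:1000:,,,:/home/pi:/bin/bash'
    ensure_pam_radius /etc/pam.d/sshd
    ensure_pam_radius /etc/pam.d/login
    ensure_nss_ato /etc/nsswitch.conf
fi
```

Run it as root with --apply after the two packages are installed; running the functions a second time changes nothing, so the script is safe to re-run from configuration management. The PAM edit is made before the file's other lines, exactly as in the instructions above, so the RADIUS check still comes first.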

To check that authentication works, open a second session first and watch the auth log from the command line:

tail -f /var/log/auth.log

Then log in over SSH with your RADIUS account. Once you are in, you can run:

who
last
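A few post-setup checks a practitioner would run at this point, as an added example that is not code from the original post. It assumes the mapped uid from /etc/libnss-ato.conf is 1000 as above (override ATO_UID otherwise), and the auth.log lines it summarises are constructed samples in sshd's standard "Accepted password for" format, so the summary can be tried offline:

```shell
#!/bin/sh
# Checks to run after the setup above. Added example, not from the original
# post. ATO_UID is the uid from /etc/libnss-ato.conf (1000 in the post).
set -eu
ATO_UID=${ATO_UID:-1000}

# Resolve a login name to a uid. With a passwd file as second argument it
# parses that file (for offline checks); without one it asks NSS through
# getent, which is the same lookup sshd performs.
resolve_uid() {
    name=$1
    if [ $# -ge 2 ]; then
        awk -F: -v n="$name" '$1 == n { print $3; exit }' "$2"
    else
        getent passwd "$name" | cut -d: -f3
    fi
}

# After the change, a name that is not a local account must resolve to
# ATO_UID. A random probe name avoids colliding with a real user; if this
# fails, "ato" is missing from (or not last on) the passwd line.
check_ato_mapping() {
    probe="probe$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')"
    [ "$(resolve_uid "$probe")" = "$ATO_UID" ]
}

# The shared secret sits in clear text in pam_radius_auth.conf, so it must
# not be group- or world-readable. Returns 0 when the file is private.
radius_conf_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# Summarise successful password logins per presented name from auth.log
# lines. Every RADIUS user runs under the same local uid, so sshd's
# "Accepted password for <name>" line is where the RADIUS identity survives.
count_password_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (u in n) printf "%s %d\n", u, n[u] }
    ' "$@" | sort
}

# Constructed sample lines in sshd's auth.log format, for an offline run.
SAMPLE_AUTH_LOG='Jan  5 10:00:01 pi sshd[1201]: Accepted password for alice from 192.168.1.50 port 52344 ssh2
Jan  5 10:00:09 pi sshd[1210]: Failed password for bob from 192.168.1.51 port 52345 ssh2
Jan  5 10:01:30 pi sshd[1220]: Accepted password for bob from 192.168.1.51 port 52346 ssh2
Jan  5 10:02:00 pi sshd[1233]: Accepted password for alice from 192.168.1.50 port 52347 ssh2'

# Run the summary over the constructed sample: prints "alice 2" and "bob 1".
demo_counts() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | count_password_logins
}
```

On the real box, check_ato_mapping and radius_conf_private /etc/pam_radius_auth.conf should both succeed before you rely on RADIUS logins, and count_password_logins /var/log/auth.log is the quickest way to see which RADIUS names have actually been used, since who and last only show the shared local account.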

This has been tested on a Raspberry Pi 4 running:

~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

2 comments on SSH RADIUS authentication as a client for Linux

  • Hi Mr Paulierco. Your article helped me set up a 2FA client; without the libnss-ato module I had to create a local account for each AD user.
    Thank you very much, now everything works fine. But one question still remains: now I must enter the password and the OTP key together, whereas I want to enter my account password first and then have the system ask me for the OTP key. Maybe you know what changes must be made in the PAM files?

  • Hi, thank you for writing this up. We use this for managing access to a fleet of Debian servers without having to maintain local user accounts.

    You mentioned it would be great to see this as a package instead of clone and compile. In my case, I didn't mind compiling once, but I wanted a deb package to distribute to all the servers. This is how I create the deb:
    ```
    sudo apt update && sudo apt install build-essential debhelper
    git clone https://github.com/donapieppo/libnss-ato
    cd libnss-ato
    sed -i '/DH_COMPAT.*/d' debian/rules
    make
    fakeroot debian/rules binary
    ```
